thames house mi5
The MI5 headquarters at Thames House in London Reuters

Privacy International (PI) has released a fresh batch of letters it claims demonstrates how UK intelligence agencies GCHQ and MI5 have bent the rules around surveillance to favour mass collection of communications data with minimum levels of oversight.

The previously undisclosed documents outline messages sent in 2004 from legal representatives from the two spy agencies in question to Sir Swinton Thomas, who was the interception of communications commissioner (ICC) at the time.

In an official capacity, Thomas held a key oversight role however, according to campaigning organisation Privacy International, the letters clearly show the "government's troubling history of over-reaching in order to expand its surveillance powers while minimising safeguards."

The first letter, sent in May 2004 from the Home Office, which oversees the activities of MI5, urges Thomas to permit the agency to conduct collection for a so-called 'database project' under the Telecommunications Act 1984 rather than the more transparent Regulation of Investigatory Powers Act 2000 (Ripa).

The Home Office official said: "The only practical difference between the two sets of provisions is if [Ripa] were used, a new notice would need to be issued every month [...] involving a fresh consideration of the necessity and proportionality issues. This would not be the case under section 94 [of the Telecommunications Act]."

While the letters show that Thomas initially appeared hesitant to provide authorisation, he eventually gave in to the government's requests. "On reconsideration, and in light of your letter, I have revised my view," he wrote. "I am also impressed by the considerable and, if possible to be avoided, inconvenience in following the [Ripa] procedure in the database proposals."

In another letter dated 18 October 2004, GCHQ representatives wrote to Thomas following a recent visit he had completed to its Cheltenham HQ. Like the MI5 messages, the document discussed whether its collection of bulk communications data had legal backing under the Telecommunications Act rather than Ripa.

"Communications data is an increasingly important tool in GCHQ, especially in the fight against global terrorism and serious crime," the agency asserted. Then, in more detail, it outlined how the collection system was set up at the time.

"Huge volumes of data are acquired (about 40m bits of data a day). There are two databases at GCHQ holding communications data acquired in bulk – known as [Redacted]. Ideally all the material would be held on a single database, but the data is configured differently by the CSPs," it said.

It added: "We would contend that the transfer of data to our databases pursuant to section 94 directions is in accordance with the law [...] there are very real practical difficulties in GCHQ being required to obtain a Ripa authorisation in respect of accessing any data."

Section 94 is frequently used by the agencies as legal backing when collecting communications data from service providers and is under the authorisations of the UK Home Secretary – currently conservative MP Theresa May. By circumventing Ripa, the agency could minimise the time it took to get the go-ahead to access data.

GCHQ cyber defense room
CHELTENHAM, ENGLAND - NOVEMBER 17: A general view of the 24 hour Operations Room inside GCHQ, which Chancellor of the Exchequer George Osborne was shown by of Director of GCHQ Robert Hannigan and Cheltenham MP Alex Chalk on November 17, 2015 Ben Birchall - WPA Pool / Getty Images

In response, Thomas admitted the problem was neither "easy nor straightforward." Yet, in any case, he eventually conceded: "I have, therefore, reached the conclusion, not without some difficulty, that the present system for retrieval [under the Telecommunications Act] is lawful. As you say, adhering to the spirit of the legislation is important."

'Lacks sufficient transparency'

After analysing the documents, Privacy International said it was a complete failure in how information commissioners should conduct oversight on sensitive databases used by UK spies.

Caroline Wilson Palow, PI's general counsel, said: "This discussion, between lawyers for MI5 and GCHQ and the interception of communications commissioner, is also an illuminating example of how oversight can go wrong when it lacks sufficient transparency, resources and advocates for the individuals whose privacy may be violated."

Meanwhile, Sir Stanley Burnton, the sitting interception commissioner who was appointed to the role last November, told The Guardian: "We welcome and support Privacy International's proposal for oversight bodies to be supported by public interest advocates and their calls for further transparency in these matters.

"Our review [as demanded by the PI's legal case] has been very challenging because all the section 94 directions are subject to statutory secrecy provisions which limit severely what we are able to say publicly about them.

"Our report sets out an extensive series of recommendations which must be implemented in order to clarify and bring consistency to the procedures in place, remedy the lack of record-keeping requirements and codified processes and ensure that we are able to undertake this additional oversight and audit of the giving and use of section 94 directions properly."

The release of the letters come following a separate release from Privacy International that revealed how UK agencies collect massive amounts of personal data on innocent civilians in the form of 'bulk personal datasets'. The information scooped up includes NHS records, driver license information, passport records and financial information.

Meanwhile, the fresh revelations come as the UK parliament continues to debate the Investigatory Powers Bill – slammed as a Snoopers' Charter by some critics – which would enhance the snooping powers available to the government, police and intelligence agencies.

In a statement to IBTimes UK, the Home Office said it could not offer comment on the documents due to the ongoing legal proceedings. A spokesperson said: The government is committed to providing greater transparency about, and stronger safeguards for, investigatory powers.

"The Investigatory Powers Bill will repeal section 94 of the Telecommunications Act 1984 and will, instead, provide for clearer powers with stronger safeguards - including the 'double lock' and a powerful new Investigatory Powers Commissioner."

This article was updated on 6 June at 16:55 to insert a statement from the UK Home Office